The EnableCommonNameFallbackForLocalAnchors policy will be deprecated soon. It will not be available on Chrome OS 66 or later. Even if you leave the policy enabled, the Chrome client will no longer implement the policy and it will be removed from future administrative templates.
Only server certificates that have a subjectAlternativeName extension that contains a DNS name or IP address are trusted (allowed). If an end user running Chrome 66 or later tries to access a site where the certificate isn’t allowed, they’ll see a warning that the certificate isn’t valid and can’t be trusted.
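
One way to find server certificates that would fail this rule, as an added example that is not part of the original article. It assumes OpenSSL 1.1.1 or later; the function names, file names, intranet.example and 10.0.0.5 are constructed sample values. The check only tests for a DNS or IP entry in subjectAlternativeName, not whether that entry matches the site or whether the chain is trusted.

```shell
#!/bin/sh
# Added example: flag certificates that have no DNS/IP subjectAlternativeName
# and therefore depended on commonName fallback.

# san_entries CERT.pem: print the DNS and IP entries of the certificate's
# subjectAlternativeName extension, one per line (nothing if there are none).
san_entries() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n +2 | tr ',' '\n' | sed 's/^ *//' |
        grep -E '^(DNS|IP Address):' || true
}

# has_san_host CERT.pem: succeed only if the SAN holds a DNS name or IP address.
has_san_host() {
    [ -n "$(san_entries "$1")" ]
}

# make_sample_certs DIR: create two constructed self-signed certificates,
# one with only a commonName and one that also carries a SAN.
make_sample_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=intranet.example' \
        -keyout "$1/cn.key" -out "$1/cn-only.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=intranet.example' \
        -addext 'subjectAltName=DNS:intranet.example,IP:10.0.0.5' \
        -keyout "$1/san.key" -out "$1/with-san.pem" 2>/dev/null
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
make_sample_certs "$demo_dir"
for cert in "$demo_dir"/*.pem; do
    if has_san_host "$cert"; then
        echo "OK      $cert: $(san_entries "$cert" | tr '\n' ' ')"
    else
        echo "REISSUE $cert: no DNS/IP subjectAlternativeName"
    fi
done
rm -rf "$demo_dir"
```

To audit real certificates, call has_san_host on each PEM file exported from the internal servers and reissue the ones it rejects.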